The world's largest professional organization for computer engineers exposed user names, plaintext passwords, and website activity for almost 100,000 of its members, some of whom are employees of Apple, Google, IBM, and other large companies.

The sensitive information was contained in 100 gigabytes worth of website logs that were publicly available for at least a month on servers maintained by the Institute of Electrical and Electronics Engineers, according to a blog post published by a recent graduate and current teaching assistant at the University of Copenhagen. The 99,979 unique user names Radu Dragusin said he found in the cache comprises about 24 percent of 411,000 members counted in the 2011 IEEE Annual Report.

"It is certainly unfortunate this information was leaked out, and who knows who got it before it got fixed," Dragusin wrote. Elsewhere in the post he said: "If leaving an FTP directory containing 100GB worth of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome."

The exposure is problematic because it could provide outsiders with a candid view of the password choices of some of the world's most influential software and hardware engineers. Many Internet users employ the same or a similar password for multiple accounts, with the average person using just 6.5 passcodes to access 25 separate accounts, according to one landmark study. While there are no public reports of the data circulating on the Internet, many password crackers prefer to keep their password lists a closely guarded secret, so there's no guarantee the information isn't already being used to compromise IEEE members.

Even members who chose a randomly generated password unique to their IEEE account would still have had their activity exposed: Dragusin said the logs recorded more than 376 million Web requests made in a single month for ieee.org addresses.

IEEE officials didn't respond to an e-mail and phone call seeking comment for this article. Dragusin told Ars no one he knows who is a member of IEEE has received notification that their information was exposed.

According to a breakdown provided by Dragusin, a statistically significant sample of the exposed passwords he found are so overused that they typically take less than a second to be cracked by freely available programs such as Hashcat and John the Ripper. The password "123456" (minus the quotes) was used 271 times, while "ieee2012", "12345678", "123456789", and "password" were used 270, 246, 222, and 109 times respectively. Domain names in some of the exposed e-mail addresses included uspto.gov and ieee.org, among others.

Update: An IEEE spokeswoman emailed the following statement: "IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected. IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused."

For the sake of not getting fired, I will just say I work in a field that handles Government clients, and everyone here would die of laughter from the passwords I see on a regular basis for them. No one really cares if their stuff gets used maliciously I guess, or perhaps they think it won't happen to them.

Edit: As was clearly stated, the graph was the first thing that told me this was the IEEE story. That's not a defect. Picking out the two favorite headline grabbing companies in the tech industry for a story that is not especially about them was the defect.

OK, I guess we'll have to agree to disagree about whether the passwords and potential password-choosing strategies of Google and Apple engineers is newsworthy. I sincerely believe it is, and as I said in a previous comment, if the space for headlines was bigger, I would have mentioned IBM, Oracle, and Samsung, as well.

At any rate, I appreciate you admitting that, contrary to your previous comment, this story is indeed new.

Eh, I guess I see your point. Although I don't think IEEE membership is exactly hard to get, I'm sure there are lots of lackeys at Google and other big companies with IEEE memberships. Doesn't really say much about Google at all.

Besides that, I highly doubt that password selection and quality of work (primarily code in this case) are correlated. What would be very important would be if Google were keeping passwords in plaintext.

To be clear, I don't think anyone should view Google, Apple, Oracle, IBM, or Samsung in a negative light because of this breach. The article isn't attempting to say anything about Google, just pointing out one of the possible victims of this exposure.

And what makes anyone think that these are the same passwords that the engineers use on any useful site? These are the types of passwords that you use for systems you don't care about at all.

Exactly. For any site I don't really care about and does not have any info that is not public anywhere else, I usually use password as my password. For everything else, I use Last Pass to generate a random string for me.

God, what a trolly title. IEEE leaks passwords of people from myriad backgrounds, and your headline mentions Google and Apple, but not IEEE.

Really tabloid quality journalism there.

Yea, I thought it was a new story until I saw the familiar graph. Seriously not cool Ars.

crhilton, what "familiar graph" are you referring to? The graph pictured in this article was published just today by the graduate student who discovered the exposure. If you don't like the article, fine, but please don't invent defects that don't exist.

mhjacobson, the only reason this is news is that IEEE exposed passwords and password strategies of engineers at some of the world's top companies. Recognizable names make news. Use of the names Google and Apple wasn't intended to be trolly. Just to communicate up front why the author thought people should care.

IEEE doesn't have access to every web search we have ever done going back 10 years, nor to every email we have ever sent, nor to any ssh keys we might have mailed ourselves, credit card info, tax receipts, and on and on and on.

Dan, your headline was pretty much the opposite of being upfront. What "makes news" is of no consequence, and your attempt to play to that angle is below accepted journalistic standards, which is uncharacteristic of Ars.

Not to mention the fact which others have pointed out that many of the passwords are "IEEE2012" and the like; to imply that people use that password for, e.g., their e-mail, is dubious.

By that logic absolutely every story should mention Google in the headline because it's bound to involve someone who has used Google for something at some point.

While gmail accounts make up 38% of the logins, Apple is so under-represented that the only data point for them is 0.2% for me.com - which is now shuttered anyway.

To be fair, there's no way to tell from the information provided how many Apple engineers were logging in with non-apple accounts, but yes, I think it's fair to call out that headline as trollish.

In the first paragraph of his blog post, the student who discovered the breach wrote: "Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees." If headlines could be longer, the one for this article would have mentioned those other companies as well.

I saw the graph hours ago on a ieeelog.com. So it was ... familiar.

Edit: As was clearly stated, the graph was the first thing that told me this was the IEEE story. That's not a defect. Picking out the two favorite headline grabbing companies in the tech industry for a story that is not especially about them was the defect.

What makes news is of no consequence to what goes in a headline? Is that what you're saying?

And for the record, no, I doubt anyone is using "ieee2012" as their email password. I don't think an objective reading of my article implies such, but if it does, I'm stating here that that's not what I believe.

What a dumb title. And what a bad graph. The graph makes it look like the number of password uses is fluctuating when going to the right, so 123456 is used less than ieee2012. Couldn't they have sorted them by decreasing count or similar? Or used a more suitable graph type instead?

As an IEEE member, I decided it was time to ditch my old password. Thanks Ars! (Also, no notice from IEEE). When I logged on, they required my user name to change to an email address instead of the unique randomly generated user name I had. I hate using email addresses as user names. It begs for spam and account linking!!

If a group of 100,000 software engineers, some of whom work for the world's biggest tech companies, can't be held to good password policies, then there's no hope of adoption for a wider segment of people. Those policies are simply not suitable for human beings. Maybe in the future, all users can be replaced with random string generators.

Until that wonderful day, it's time to admit that the entropy fetishists masquerading as security specialists are wrong and devise security policies that are suitable for our species.

Gotta love it. You have to go through a paywall to get to IEEE publications (which are largely taxpayer funded)... but if you want their passwords, it's all in there somewhere.

How do you figure that? IEEE makes their money from selling memberships, journal subscriptions and hosting conferences (at extortionate rates), and the members/subscribers/attendees are a mix of students, professors and people who work in industry from around the world. Sure, government partially subsidizes universities and also provides some grant money for research, but to say it's "largely taxpayer funded" is quite a stretch.

And I see from the thumbnail that Ars is keeping the Skee-Lo theme going. Of all the loser, one-hit-wonder rappers to bring back from the dead ...

True, but don't you think that someone who uses "ieee2012" as a password to the IEEE site is likelier to use the [sitename][year] combination for, e.g., their e-mail?

Password reuse doesn't have to mean someone uses exactly the same password for multiple accounts. Using the same PATTERN is very much a form of predictable reuse.

I think you're missing the point of "context" in password security. A security-conscious person is explicitly aware of the context of the password they are creating and will often create the password for a site such as IEEE –which safeguards little to no secure information– with an easily-remembered but low-effectiveness password, or password scheme. This method is called a tiered password scheme.

The users with "123456" as their password are more likely to understand this than not, as it would be considerably difficult to support the argument that an IEEE member believes that 1) "123456" is an effective password, and 2) is so effective that they should use it across all their accounts, "e.g., their E-mail".

The same can be extended to pattern passwords such as [sitename][year] even more, as this pattern adds a level of fuzzy logic required in order to allow one to use the site-specific password (if breached) to access other "throw-away-password" sites.

That said, there will always be outliers where people use passwords such as "123456" for all their passwords, as well as those that will use maximum-complexity passwords for every individual password they require, regardless of context, but this article focuses on averages and that is what I'm addressing.

He's a student, you're a journalist. By your logic, why don't you just copy the entire story? You made a choice with that headline, and it's a rather disappointing one for a quality site like Ars.

So what exactly can an attacker do with an IEEE member's account, anyway? Can any members here tell us just how much of a "throw-away" site ieee.org is?

The only useful thing I ever do at IEEE.org is renew my membership. You can also access any journals for which you own a subscription, update your professional profile, vote for IEEE officers, and add subsociety memberships. The IEEE site does keep credit cards on file (shown as X's) for future orders.

If someone accessed my account, they could get personal information somewhat less detailed than my LinkedIn profile, my mailing address and phone number, and subscribe me to all the various subsocieties, which would charge several $100s to my credit card. I really just log in once or twice a year; I wonder if my password was leaked.

Well, I like my @ieee.org email address (looks a lot more professional than aol.com). Oh yeah, and the paywall thing.

Other than that, I think that if you saved your CC info for automatic renewals and someone takes control of your account then you may get subscriptions to journals you never hear of (i.e. the IEEE journal on serendipitous developments in haptics).

Regarding the easy-to-guess passwords, maybe you should remember that the IEEE is over 125 years old, so it also has members who cannot be bothered to come up with difficult passwords.

One other thing, and if I recall correctly: a few months ago the IEEE made me change my password to something more complex, and the current password rules are:

Quote:

For security reasons, passwords:
- are case sensitive
- must contain between 8 and 20 characters
- must contain at least one number
- cannot contain the term "password"
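The four rules quoted above can be checked mechanically, and doing so against the most-used passwords the article lists makes a point the thread circles around: a composition policy and an overuse check are different controls. The following is an added example, not IEEE's code and not from the article or the commenter; it implements the rules exactly as quoted, with the observed counts for the five passwords constructed from the article's figures. The overuse threshold and the case-insensitive matching of the term "password" are assumptions of this example.

```python
import re

# The four rules as quoted in the comment above; the length bounds and the
# forbidden term are taken from that quote.
MIN_LEN, MAX_LEN = 8, 20
FORBIDDEN_TERM = "password"

# Constructed from the per-password counts reported in the article above.
OBSERVED_COUNTS = {
    "123456": 271,
    "ieee2012": 270,
    "12345678": 246,
    "123456789": 222,
    "password": 109,
}


def check_policy(pw: str) -> list:
    """Return the stated rules that `pw` violates; an empty list means it passes.

    "Case sensitive" only says the stored comparison is exact, so it imposes
    no constraint on the candidate itself. Whether IEEE matched the term
    "password" case-insensitively is not stated; this check assumes it did.
    """
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not re.search(r"\d", pw):
        problems.append("must contain at least one number")
    if FORBIDDEN_TERM in pw.lower():
        problems.append(f'cannot contain the term "{FORBIDDEN_TERM}"')
    return problems


def is_overused(pw: str, counts=OBSERVED_COUNTS, threshold: int = 100) -> bool:
    """True if `pw` was seen at least `threshold` times in the observed set.

    The threshold is an assumption for this example; a real deployment would
    consult a large breached-password corpus rather than five entries.
    """
    return counts.get(pw.lower(), 0) >= threshold


def evaluate(pw: str) -> dict:
    """Combine the stated policy with the overuse check into one verdict."""
    problems = check_policy(pw)
    overused = is_overused(pw)
    return {
        "password": pw,
        "policy_ok": not problems,
        "problems": problems,
        "overused": overused,
        "accept": not problems and not overused,
    }


def audit(passwords) -> list:
    """Evaluate a batch of candidates, e.g. as a regression test for a policy."""
    return [evaluate(p) for p in passwords]


if __name__ == "__main__":
    # "Tq7#vL9m" is a constructed sample of a randomly generated password.
    for row in audit(list(OBSERVED_COUNTS) + ["Tq7#vL9m"]):
        status = "accept" if row["accept"] else "reject"
        detail = ", ".join(row["problems"]) or ("overused" if row["overused"] else "ok")
        print(f'{row["password"]:<12} policy_ok={row["policy_ok"]!s:<5} {status}: {detail}')
```

Run as a script, three of the five most-used passwords in the leak ("ieee2012", "12345678", "123456789") satisfy every quoted rule and are rejected only by the overuse check, while "123456" and "password" fail the composition rules outright. That is the practical reason a policy like the one quoted needs a breached- or common-password denylist beside it.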

So why should you see anyone's password?

Way back when the internet was dialup, I chose a small Chicago company as my ISP. They were mostly a UNIX shop, and they made a point of not knowing users' passwords. If you forgot, you would have to call them up, somehow convince them that you were who you claimed to be, and they would reset your password with a use-once value. Apart from the possibility of a social engineering attack, pretty standard stuff in the UNIX world.

Then they cashed in and sold out to Mindspring (who sold out to Earthlink, Yahoo, AT&T,...) and I'm pretty sure my password is in a database somewhere where people like you can laugh at it.

They had this mostly figured out a long time ago. Why are you even able to see anyone's password?

While gmail accounts make up 38% of the logins, Apple is so under-represented that the only data point for them is 0.2% for me.com ... I think it's fair to call out that headline as trollish.

Yes, I noticed that when I checked the figures. I don't think that excuses the headline you chose to put on the story though; surely more thought than just copy-and-paste from source should go into a headline?

I love Ars, and I'm no Apple fanboy, this isn't the sort of thing I'd normally care about, but this one stuck out too far, sorry!

OK, it's clear you and I have a fundamental disagreement about whether Apple and Google belong in the headline. That is abundantly clear. I respect your opinion, even though I don't agree with it.

What I don't understand is how even after I lay out my journalistic opinion (i.e. that it's highly relevant that IEEE exposed the passwords and password strategies of engineers at these companies) you characterize the move as "just [a] copy-and-paste from source." It's not that at all. It's me operating on my judgement that the identities of the potential victim companies is central to the story. Given the fact that I've laid out my rationale for the decision, I think it's misguided to claim the only reason to include the names is to mimic the original post.